Six years on, and it's time to rewrite this sucker from the perspective of 2015 (and a lot more personal experience in the world of commercial CAs).
First off, as far as EV certificates inspiring trust, the answer is (still) "no, not really". Independent studies of EV certificates just don't show a meaningful impact amongst typical consumers. Peter Gutmann's book, Engineering Security, is largely an 800-page rant against CAs in general, and it has a lot of references to the (in)effectiveness of EV certificates in influencing safe user behaviour throughout the text, with the highest density in the section entitled "EV Certificates: PKI-me-harder" starting on page 72.
On the other side of the argument, the parties who have the most to gain from proving EV certificate efficacy (the CAs who sell them) can't come up with any compelling evidence, either. The "best" collection of EV case studies I could dig up is amusingly long on unfounded assertion and woefully short on any sort of useful data.
As for whether EV certificates actually do anything useful to fight fraud, I'll go back to Peter Gutmann again:
The introduction [...] of so-called high-assurance or extended validation (EV) certificates [...] is simply a case of rounding up twice the usual number of suspects — presumably somebody’s going to be impressed by it, but the effect on phishing is minimal since it’s not fixing any problem that the phishers are exploiting.
To put it another way, that you know, for sure and certain, that the site you're communicating with is "Honest Achmed's Drug Bazaar and Fishmarket, Inc", of Tashkent, Uzbekistan, doesn't say anything about whether Achmed is going to do the bunk with your credit card details and private information. An EV certificate also doesn't say anything useful about the security practices of the organisation: while ashleymadison.com uses a wildcard DV cert, it is (and was) entirely capable of getting an EV certificate, and everyone's private peccadillos would still be downloadable if they'd been running an EV cert all along.
Finally, for what it's worth, EV certificates are issued after (some) more validation beyond what is done for domain validated (DV) or organisation validated (OV) certs. What is being validated isn't actually all that important, but you can be reasonably sure that someone has gone to some reasonable amount of trouble to make the organisation named in the green bar appear to exist.
In order to download the certificate, you need to use the client built into openssl like so:
echo -n | openssl s_client -connect $HOST:$PORTNUMBER -servername $SERVERNAME \
| openssl x509 > /tmp/$SERVERNAME.cert
That will save the certificate to /tmp/$SERVERNAME.cert.
The -servername is used to select the correct certificate when multiple are presented, in the case of SNI.
You can use -showcerts if you want to download all the certificates in the chain. But if you just want to download the server certificate, there is no need to specify -showcerts. The x509 at the end will strip out the intermediate certs; you will need to use sed -n '/-----BEGIN/,/-----END/p' instead of the x509 at the end.
echo -n gives a response to the server, so that the connection is released.
openssl x509 removes information about the certificate chain and connection details. This is the preferred format to import the certificate into other keystores.
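The difference between finishing the pipeline with `openssl x509` (server certificate only) and with the `sed` range (every certificate the server presented) can be seen on a constructed `-showcerts` transcript. This is an added example, not part of the answer above; it uses only sed, awk and grep, and the PEM bodies are placeholders rather than real certificates.

```shell
# Constructed stand-in for what `openssl s_client -showcerts` prints: two PEM
# blocks (leaf first, then one intermediate) with the usual connection chatter
# around them. The base64 bodies are placeholders, not real certificates.
SCLIENT_OUTPUT='CONNECTED(00000003)
depth=1 C = XX, O = Example Intermediate CA
verify return:1
-----BEGIN CERTIFICATE-----
MIIBleafPLACEHOLDER
-----END CERTIFICATE-----
 1 s:C = XX, O = Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIBintermediatePLACEHOLDER
-----END CERTIFICATE-----
---
Server certificate
subject=CN = www.example.com
DONE'

# The sed form from the answer: keeps every PEM block, i.e. the whole chain
# as the server presented it (leaf first, then intermediates).
full_chain() {
    printf '%s\n' "$SCLIENT_OUTPUT" | sed -n '/-----BEGIN/,/-----END/p'
}

# What `openssl x509` leaves you with: only the first certificate in the
# stream, which is the server (leaf) certificate. Done with awk here so the
# example runs on the constructed input without calling openssl.
leaf_cert() {
    printf '%s\n' "$SCLIENT_OUTPUT" | awk '/-----BEGIN/ {p=1} p {print} /-----END/ {exit}'
}

# Number of certificates in a PEM stream read from stdin; useful as a sanity
# check that the download actually captured the chain you expected.
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----'
}
```

Running `full_chain | count_certs` on this input reports 2 while `leaf_cert | count_certs` reports 1, which is exactly the intermediate that `openssl x509` would have dropped.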
Best Answer
Marketing hype (and cost). This is not part of the spec. This is from Wikipedia:
http://en.wikipedia.org/wiki/Public_key_certificate
Vendor defined classes
VeriSign uses the concept of classes for different types of digital certificates [3]:
Other vendors may choose to use different classes or no classes at all, as this is not specified in the SSL protocol, though most do opt to use classes in some form.
This is new(ish). They used to actually verify all requests to make sure you were who you said you were. This has gone by the wayside so you can get a cert in a few minutes instead of a few days.